Attention, cyber spies are phishing!



The cybersecurity company ESET has revealed that the Iran-linked OilRig group has deployed new malware to harvest credentials.

APT34, also known as OilRig, Lyceum, or Siamesekitten, is a cyber espionage group believed to be based in Iran and active since at least 2014. It targets governments in the Middle East as well as the chemical, energy, finance, and telecommunications industries.

Here are two attacks by the advanced persistent threat group!

ESET researchers examined two attacks by the Iran-linked OilRig APT (Advanced Persistent Threat) group: "Outer Space" from 2021 and "Juicy Mix" from 2022. Both cyber espionage campaigns specifically targeted Israeli organizations, which confirms the group's focus on the Middle East, and both used similar methods. OilRig first compromised a legitimate website and turned it into a Command & Control (C&C) server, then deployed a set of post-compromise tools used to exfiltrate data from the targeted systems. In particular, these tools harvested credentials, cookies, and browsing history from Windows Credential Manager and the major browsers.

In the Outer Space attack, OilRig used a previously undocumented C#/.NET backdoor called Solar and a new downloader called SampleCheck5000 (SC5k) that uses the Microsoft Office Exchange Web Services (EWS) API for C&C communication. For the Juicy Mix attack, the threat actors developed Solar further into a more capable and stealthier backdoor named Mango. Both backdoors were most likely delivered through targeted phishing emails. ESET not only detected the malicious toolset but also notified the Israeli CERT about the compromised web servers.

ESET named the backdoor Solar after the astronomical terminology the malware uses for its function and task names, and named the other new backdoor Mango after its internal name and file name. Solar is a basic backdoor: it can download and execute files and automatically exfiltrate staged files. Its C&C server was a compromised web server belonging to an Israeli human resources company, which exposed that company to the attack as well.

For the Juicy Mix campaign, OilRig moved from the Solar backdoor to Mango. Mango follows a similar workflow and overlaps with Solar in capability, but brings some significant technical changes. Among them, ESET found an evasion technique in Mango that Solar did not use.


Zuzana Hromcová, one of the ESET researchers who analyzed the two OilRig attacks, stated: "The purpose of this technique is to prevent endpoint security solutions from loading user-mode code hooks in this process through a DLL. Even though the parameters were not used in the sample we analyzed, it could be enabled in future versions."
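The article does not say which Windows mechanism Mango uses to keep security products from loading a DLL into its process. One mechanism that produces exactly that effect is the per-process binary-signature mitigation policy (MicrosoftSignedOnly), which makes the loader refuse any DLL not signed by Microsoft, EDR hook libraries included. The PowerShell hunt below is an added example written for this page, not code from ESET or from the article, and it assumes that policy is the one meant. It relies on the ProcessMitigations module shipped with Windows 10 1709 / Server 2019 and later; the property path BinarySignature.MicrosoftSignedOnly and the Id/ProcessName fields are taken from that module's documented output and should be verified on your build, and the allow-list entries are placeholders to be replaced with a baseline from your own fleet.

```powershell
# Added example for this page (not ESET's or the article's code): list running processes
# that have opted into the MicrosoftSignedOnly binary-signature mitigation, which blocks
# non-Microsoft-signed DLLs (including EDR user-mode hook libraries) from loading.
# ASSUMPTION: this policy is the mechanism behind the evasion the article describes.
# Requires the ProcessMitigations module (Windows 10 1709 / Server 2019 or later).

# Placeholder allow-list of processes that legitimately set this policy on your fleet.
# Build it from a clean baseline; these two names are examples, not a vetted list.
$KnownGood = @('msedge.exe', 'smartscreen.exe')

function Get-SignedOnlyProcesses {
    param([string[]]$AllowList = $KnownGood)

    # -RunningProcesses returns the effective mitigation set of every live process.
    # Property names (Id, ProcessName, BinarySignature.MicrosoftSignedOnly) follow the
    # module's documented output; confirm them on your build.
    Get-ProcessMitigation -RunningProcesses -ErrorAction SilentlyContinue |
        Where-Object { "$($_.BinarySignature.MicrosoftSignedOnly)" -eq 'ON' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.Id -ErrorAction SilentlyContinue
            $signer = $null
            if ($proc -and $proc.Path) {
                # Who signed the image that is refusing non-Microsoft DLLs?
                $sig = Get-AuthenticodeSignature -FilePath $proc.Path
                $signer = if ($sig.Status -eq 'Valid') {
                    $sig.SignerCertificate.Subject
                } else {
                    "unsigned/invalid ($($sig.Status))"
                }
            }
            [pscustomobject]@{
                Id          = $_.Id
                ProcessName = $_.ProcessName
                Path        = if ($proc) { $proc.Path } else { $null }
                Signer      = $signer
                AllowListed = $AllowList -contains $_.ProcessName
            }
        } |
        Where-Object { -not $_.AllowListed }
}

# Run elevated so that other users' processes can be inspected.
Get-SignedOnlyProcesses | Sort-Object ProcessName | Format-Table -AutoSize
```

A process that has opted into MicrosoftSignedOnly but whose own image is unsigned or signed by a non-Microsoft publisher is the combination worth escalating: the policy then shields the process from your EDR rather than from attackers. As the ESET quote says, the analyzed sample did not actually set the parameters, so this check would not have fired on that sample; it is a hunt for the enabled variant the researchers anticipate.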
Turkhackteam.org internet sitesi 5651 sayılı kanun’un 2. maddesinin 1. fıkrasının m) bendi ile aynı kanunun 5. maddesi kapsamında "Yer Sağlayıcı" konumundadır. İçerikler ön onay olmaksızın tamamen kullanıcılar tarafından oluşturulmaktadır. Turkhackteam.org; Yer sağlayıcı olarak, kullanıcılar tarafından oluşturulan içeriği ya da hukuka aykırı paylaşımı kontrol etmekle ya da araştırmakla yükümlü değildir. Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz. Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.